Online retailer Vision Direct, which bills itself as being Europe's largest online contact lenses supplier, has been warning customers that it suffered a data breach from Nov. 3 until Nov. 8.

"The personal information compromised includes full name, address, telephone number, email address, password and payment card information," the company says in its data breach notification. "This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions."

Signs of Magecart at Work

Dutch security researcher Willem de Groot discovered the underlying attack campaign in September. He says it appears to be part of the e-commerce payment form hijacking attacks that are broadly known as Magecart, which have been ascribed to multiple cybercrime groups.

Vision Direct, in its notification, advises all potentially affected customers to change their Vision Direct password as well as to watch their credit card and bank statements for signs of fraud.

Vision Direct didn't immediately respond to a request for comment.

But a copy of the data breach notification that it has been emailing to potentially affected customers, shared by Australian data breach expert Troy Hunt, says that Vision Direct has expunged the attack code from its site and is "working with the authorities to investigate how this theft occurred."

Per the Payment Card Industry Data Security Standard specifications, storing any CVV data - in encrypted form or otherwise - is prohibited. Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure, said the likely modus operandi was attackers using software designed to surreptitiously copy and steal this data.

Troy Mursch of Bad Packets Report says that assessment appears to be true. Using an archived copy of the Vision Direct site, Mursch found a fake Google Analytics script - no doubt planted by attackers - that included the ability to harvest payment card data.

Dutch information security consultant Willem de Groot tells Information Security Media Group that he discovered this attack campaign in early September, well before Vision Direct was hacked. He says the campaign appears to have been running since at least May.

This attack employs a domain called g-analytics.com. "The domain 'g-analytics.com' is not owned by Google, as opposed to its legitimate 'google-analytics.com' counterpart," de Groot says in his September blog post. "The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor. The malware behaves pretty much like the real Google Analytics, and it wouldn't raise any dev [development] eyebrows while monitoring Chrome's waterfall chart."

The fake Google Analytics website was registered on May 31, de Groot tells ISMG, meaning it's likely been used as part of attacks against other sites too. In the bigger picture, meanwhile, "similar domains are in use as exfiltration servers, such as g-statistic.com, google-anaiytic.com [and] msn-analytics.com," he says.
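Because these hosts are chosen to pass a casual look at the network waterfall, a site owner can instead audit every script host on the checkout page against an exact allowlist and flag near-misses for triage. The following is an added example, not code from de Groot or Vision Direct; the allowlist, the keyword stems, the sample page and its paths are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"google-analytics.com", "googletagmanager.com"}  # assumption: this shop's vendors
VENDOR_STEMS = ("analytic", "statistic")  # assumption: words that make a host look like a vendor

# Constructed sample page; the script paths are placeholders.
SAMPLE_PAGE = """
<script src="/static/checkout.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="//g-analytics.com/a.js"></script>
<script src="https://google-anaiytic.com/b.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
"""

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class ScriptHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("src") or "").hostname
        if tag == "script" and host:  # a relative src has no host: first-party
            self.hosts.append(host)

def classify(host):
    # Simplification: registrable domain = last two labels (use the Public Suffix List in production).
    domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    near = min(edit_distance(domain, t) for t in TRUSTED_DOMAINS)
    if near <= 2 or any(stem in domain for stem in VENDOR_STEMS):
        return "lookalike"  # imitates a vendor name but is not on the allowlist
    return "unlisted"       # still not approved, but not imitating a known vendor

def audit(html):
    parser = ScriptHosts()
    parser.feed(html)
    return {host: classify(host) for host in parser.hosts}
```

Calling `audit(SAMPLE_PAGE)` returns a host-to-verdict mapping; anything other than "trusted" on a payment page warrants review, with "lookalike" hosts first.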

He's ascribed these attacks to Magecart, an umbrella term that he says refers to at least eight cybercrime groups that have collectively waged a prolific series of hack attacks against e-commerce sites that have resulted in thousands of compromised sites (see: Magecart Cybercrime Groups Harvest Payment Card Data).

"For the record, Magecart is an umbrella term for payment form jacking, although some media use it - incorrectly - to identify a specific source," he says. "Based on modus operandi, code patterns and such, there are at least eight distinct groups involved with form-jacking campaigns. And because the exploit toolkits are for sale on the dark web, yet more groups are expected to enter the space."

In a security FAQ on its website, the company states: "When you pay online, no one at Vision Direct can see your full card details - just the last four digits of the long number for verification purposes. The https:// at the beginning of the URL verifies that it is a safe transaction."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
